
Checkov scan throwing CKV_K8S_31 even when seccomp runtimedefault is added under container securitycontext.

Open vishrane opened this issue 1 year ago • 7 comments

Describe the issue Checkov scan throwing CKV_K8S_31, even when seccomp runtimedefault is added under container securitycontext.

```yaml
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  runAsNonRoot: true
  runAsUser: 10001
  seccompProfile:
    type: RuntimeDefault
```


Examples Please share an example code sample (in the IaC of your choice) + the expected outcomes.

Version (please complete the following information):

  • Checkov Version [e.g. 22]

Additional context Add any other context about the problem here.

vishrane avatar Nov 24 '23 15:11 vishrane

hey @vishrane thanks for reaching out.

Can you share the whole template? We check each container of a Pod and if one of them has it not set, it will fail. For Deployments it has to be set globally and not for each container.

gruebel avatar Nov 24 '23 18:11 gruebel

template.txt @gruebel please find attached template for your reference. Thanks.

vishrane avatar Nov 27 '23 04:11 vishrane

@gruebel Your explanation has clarified the reason why this check fails for this template file. I just wonder, shouldn't we check all the Deployment containers anyway, because their setting override the Pod's level settings?

https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container

Saarett avatar Nov 27 '23 09:11 Saarett

yeah, that's true. I think we do that in some checks, but not all. This is one of them CKV_K8S_23 - Minimize the admission of root containers

gruebel avatar Nov 27 '23 13:11 gruebel
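The override rule Saarett points to (a container-level `securityContext` takes precedence over the pod-level one) determines which seccomp profile each container actually runs with, so a check has to resolve the effective profile per container rather than looking only at the pod template. The following is an added example written for this thread, not Checkov's implementation of CKV_K8S_31 and not code from the reporter's template: a small evaluator that locates the pod spec for Pod-like and template-based kinds, resolves each container's effective `seccompProfile.type`, and reports the containers that end up without `RuntimeDefault` or `Localhost`. The manifests are constructed samples built as Python dicts (no YAML parser needed), and the legacy seccomp annotations are deliberately not handled.

```python
"""Resolve the effective seccomp profile of every container in a Kubernetes
workload, honouring the rule that a container-level securityContext overrides
the pod-level one. Hypothetical helper for illustration, not Checkov's code.
"""
from typing import Any, Dict, List, Optional, Tuple

# Profile types considered acceptable; "Unconfined" or no profile at all fails.
ALLOWED_TYPES = {"RuntimeDefault", "Localhost"}

# Kinds whose pod spec lives under spec.template.spec.
TEMPLATE_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet",
                  "ReplicationController", "Job"}


def pod_spec(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Return the PodSpec embedded in the manifest, or {} for unknown kinds."""
    kind = manifest.get("kind")
    spec = manifest.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        job = (spec.get("jobTemplate") or {}).get("spec") or {}
        return (job.get("template") or {}).get("spec") or {}
    if kind in TEMPLATE_KINDS:
        return (spec.get("template") or {}).get("spec") or {}
    return {}


def effective_seccomp_type(pod_sc: Dict[str, Any],
                           container: Dict[str, Any]) -> Optional[str]:
    """Container-level seccompProfile wins; otherwise inherit the pod's."""
    container_sc = container.get("securityContext") or {}
    profile = container_sc.get("seccompProfile")
    if profile is None:
        profile = pod_sc.get("seccompProfile")
    if not profile:
        return None
    return profile.get("type")


def evaluate(manifest: Dict[str, Any]) -> Tuple[bool, List[str]]:
    """Return (passed, names of containers lacking an acceptable profile).

    Init containers are included because they run with their own context.
    A workload with no containers at all is reported as failing.
    """
    spec = pod_spec(manifest)
    pod_sc = spec.get("securityContext") or {}
    containers = list(spec.get("containers") or []) + \
        list(spec.get("initContainers") or [])
    failing = [c.get("name", "<unnamed>") for c in containers
               if effective_seccomp_type(pod_sc, c) not in ALLOWED_TYPES]
    return (bool(containers) and not failing), failing


# Constructed sample 1: Deployment with the profile set only per container,
# the shape the reporter describes. Under override semantics this is fine.
DEPLOYMENT_CONTAINER_LEVEL = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [
        {"name": "app", "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"}}},
    ]}}},
}

# Constructed sample 2: pod-level RuntimeDefault, but one sidecar overrides
# it to Unconfined. A pod-level-only check would wrongly pass this.
DEPLOYMENT_OVERRIDE_TO_UNCONFINED = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [
            {"name": "app"},
            {"name": "sidecar",
             "securityContext": {"seccompProfile": {"type": "Unconfined"}}},
        ]}}},
}

# Constructed sample 3: bare Pod with no profile anywhere.
POD_NO_PROFILE = {"kind": "Pod",
                  "spec": {"containers": [{"name": "app"}]}}

if __name__ == "__main__":
    for label, m in [("container-level", DEPLOYMENT_CONTAINER_LEVEL),
                     ("override-to-unconfined", DEPLOYMENT_OVERRIDE_TO_UNCONFINED),
                     ("no-profile", POD_NO_PROFILE)]:
        print(label, evaluate(m))
```

Sample 1 passes and sample 2 fails on `sidecar`, which is the two-sided point of the discussion: resolving per container avoids the false positive the reporter hit and also catches a container that weakens a pod-level default.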

Sounds like an easy fix for me 😄 @vishrane Would you like to contribute the fix? The specific code file would be this one

Saarett avatar Nov 27 '23 14:11 Saarett

@Saarett could you please help us with the fix?

vishrane avatar Nov 30 '23 08:11 vishrane

@vishrane Could you please assist by fixing that issue? I could assist with whatever needed 🙂 This is the relevant check

Another possibility would be skipping this check, until this issue is resolved.

Saarett avatar Dec 03 '23 10:12 Saarett

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!

stale[bot] avatar Jun 15 '24 17:06 stale[bot]

closing by this https://github.com/bridgecrewio/checkov/pull/6459 Thx @rutiNalenger and @pninib

ChanochShayner avatar Jun 27 '24 10:06 ChanochShayner